Definition of sensitive personal data

Shari'a principles (that is, Islamic principles derived from the Holy Quran and the Sunnah, the latter being the witnesses' sayings of the Prophet Mohammed), which although not codified, are the primary source of law in the Kingdom of Saudi Arabia (KSA). In addition to Shari'a principles, the law in the KSA consists of secular regulations passed by the government.

At this time, there is no specific data protection legislation in place in the KSA (although we understand that a new freedom of information and protection of private data law is under review by the formal advisory body of KSA, the Shura Council). Shari'a principles generally protect the privacy and personal data of individuals.

That said, there are certain secular regulations passed by government, which, although not dedicated as a whole to data privacy/protection, contain specific provisions governing the right to privacy and data protection in certain contexts.

There may also be specific regulations applicable to certain industries, for example, in banking, which is regulated by the Saudi Arabian Monetary Authority (SAMA).

At this time, there is no clear designated authority responsible for the enforcement of data protection and privacy equivalent to, say, the Information Commissioner in the United Kingdom. That said, specific authorities are tasked with enforcing breaches of other legislation that is in place in the KSA.

Electronic marketing is regulated by the Communications and Information Technology Commission, and is subject to various requirements. Generally, it is advisable to obtain prior consent before sending electronic marketing messages to individuals in KSA.